gh0strat | d5f04de72d8459417ce0d14ddeb0e3107419ef534570d91a0c7bab4b0d0d8eb9

Sharing

Copy URL Twitter E-mail

General

Target

d5f04de72d8459417ce0d14ddeb0e3107419ef534570d91a0c7bab4b0d0d8eb9
Size

151KB
MD5

96cb60c06bd7906c476008898a2325d3
SHA1

6f1481eb61543da051e0bb64aaa043626ddd8e16
SHA256

d5f04de72d8459417ce0d14ddeb0e3107419ef534570d91a0c7bab4b0d0d8eb9
SHA512

e5ae5ee0084ebec5b5a6d3ddde37359a83efd343a9ae5ebdad7388f0dba6de192d3bbe299f7c466ad99fbb4cd3b39bca3cc07e98f0a38a67384a3e92c9fc1882
SSDEEP

3072:hAdVVRL/2rW5ZRh7kfrO9JmjsYv950ZjlcV6LlZWhfzK6rekZ/N:hAbVRLRZRxJGhvDylcV6LlurKhSN

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

d5f04de72d8459417ce0d14ddeb0e3107419ef534570d91a0c7bab4b0d0d8eb9
.exe windows x86

bd3bd3c2e07d375d5b09afb53aa982a5

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:49:7c:ed:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:55

Not After

16/09/2011, 02:05

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:10D8-5847-CBF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

71:a6:34:ce:12:bd:e6:28:10:ca:73:93:05:12:bc:ce:62:d2:85:77
Signer

Actual PE Digest

71:a6:34:ce:12:bd:e6:28:10:ca:73:93:05:12:bc:ce:62:d2:85:77

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

04/02/2009, 03:39
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetSystemDirectoryA
ReleaseMutex
GetLastError
CreateMutexA
GetCommandLineA
lstrlenA
GetModuleHandleA
CreateThread
lstrcatA
FreeResource
WriteFile
LoadResource
FindResourceA
GetTickCount
GetTempPathA
GetStartupInfoA
GetFileAttributesA
DeleteFileA
MoveFileExA
WinExec
Process32First
Process32Next
lstrcmpiA
LoadLibraryA
GetProcAddress
CreateFileA
SetFilePointer
ReadFile
MoveFileA
CloseHandle

user32

PostThreadMessageA
GetMessageA
LoadIconA
LoadCursorA
RegisterClassExA
CreateWindowExA
ShowWindow
UpdateWindow
TranslateMessage
DispatchMessageA
DefWindowProcA
DestroyWindow
PostQuitMessage
wsprintfA
SendMessageA
GetInputState

advapi32

RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
CreateServiceA
DeleteService
OpenServiceA
RegQueryValueExA
OpenSCManagerA
StartServiceA
ChangeServiceConfigA
RegCloseKey

msvcrt

_strcmpi
_exit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_XcptFilter
realloc
malloc
??3@YAXPAX@Z
??2@YAPAXI@Z
_except_handler3
sprintf
strstr
strchr
fclose
fwrite
fseek
fopen

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 135KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bd3bd3c2e07d375d5b09afb53aa982a5

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:06:27:81:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

61:49:7c:ed:00:00:00:00:00:05Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

71:a6:34:ce:12:bd:e6:28:10:ca:73:93:05:12:bc:ce:62:d2:85:77Signer

Signature Validations

Verification

04/02/2009, 03:39 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

advapi32

msvcrt

Sections

.text Size: 9KB - Virtual size: 9KB

.rsrc Size: 135KB - Virtual size: 134KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:06:27:81:00:00:00:00:00:08
Certificate

61:49:7c:ed:00:00:00:00:00:05
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

71:a6:34:ce:12:bd:e6:28:10:ca:73:93:05:12:bc:ce:62:d2:85:77
Signer

04/02/2009, 03:39
Valid: false

.text
Size: 9KB - Virtual size: 9KB

.rsrc
Size: 135KB - Virtual size: 134KB